Data Access Control Policy

Policy:

  1. Compliance with our website Access Control Policy enables consistent resource controls throughout the site to minimize exposure to security breaches, while allowing systems administrators in the Deanship of Information Technology to conduct their activities within a legitimate framework.
  2. Access, dissemination and authorization of information flow and business processes are controlled on the basis of business and security requirements.
  3. Access to site information, data, software, resources and hardware is restricted to authorized users only to prevent accidental or unintentional exposure or amendment to application software, information or data.

Operational Policies and Procedures:

1. User Access Management

  1. User Registration:
  1. The User ID Registration Procedure governs the authorization, deactivation and deletion of accounts.
  2. Authorized user accounts (site users, third-party contractors/vendors, client representatives) shall be created/activated for a required period of time, as per the respective academic, administrative or business needs.
  3. User IDs should follow standard conventions relevant to User Name, Attributes, Distribution Lists, Security Groups Association, Mailbox properties, etc., as specified in the User ID Registration Procedure.
  1. Authorization:

User accounts are only to be created, deactivated or deleted following the approval of the correct authority. It is the responsibility of the authorized personnel who create user accounts to confirm that the level of authority has been granted whenever and wherever required.

  1. Traceability:
  1. Unique user accounts are to be created so that the identity of all users can be established at all times during their use of computers and related facilities.
  2. Periodic user ID reconciliation will be performed.
  3. A unique reference number will be attached to each User ID creation request, to enable reverse traceability.
  4. Shared user IDs (accounts shared between multiple users) are to be created for internal use only; Internet access will be blocked for such accounts.
  5. Shared mailbox IDs (shared mailbox between multiple users) are to be created and assigned an owner for traceability and accountability.
  1. Accountability:

The User ID registration procedure contains specific responsibilities for personnel operating critical functions in the creation, discontinuation and deletion process for user IDs or other functions. These procedures ensure that there are no conflicts of interest, such as a requester being also an approver.

  1. Privilege Management:
  1. Access to operating systems and applications is to be generally restricted to designated administrators and staff members who are associated with the management and maintenance of the respective platforms.
  2. Users are assigned specific account profiles and privileges as defined and authorized by their respective function head in accordance with their particular function or role.
  3. User privileges are to be reviewed on a regular and frequent basis (the interval of review is established by agreement with the data custodian or system owner) and necessary action must be taken based on the outcome of the review process. Access will be revoked where the circumstances of those who have been granted privileges no longer allow such access.
  1. Password Management:

The assignment/use of passwords is controlled in accordance with the defined Password Policy.

  1. Review User Access Management:
  1. The Deanship of Information Technology will have in place procedures by which identified teams review the occurrences of user IDs and access rights.
  2. Bi-annual audits will ensure that the access rights and user IDs of users who have left the Institution have been removed.
  3. A process shall be in place to ensure that access rights of users who have been transferred to different locations, different departments, etc. are changed in light of the change in job requirements and are modified accordingly in the system. This process is activated following Human Resources notification.
  4. The users’ access rights are reviewed at regular intervals.
  1. Unattended User Equipment:
  1. All computers belonging to the UQU network must be password-protected with a standard screen saver.
  2. Active Sessions are disconnected after a pre-defined time frame.
  3. Users shall be advised to terminate unattended active sessions.
  4. Users are responsible for not leaving their computers unattended.
  5. The general best practice for enabling automatic lockout of a screen saver is to set the timeout to 15 minutes, so that it can provide adequate security and not be inconvenient to the user.
  1. Broadcast Message:
  1. Important announcements are conveyed to the UQU community via mass email broadcast.
  2. The Information Technology Deanship under the supervision of the Director of Information Technology controls the access to and dissemination of message broadcasts.
  3. Only authorized staff members are allowed to send broadcast email messages.
  4. The broadcast access request is managed and controlled based on Signatory Authority, which clearly sets forth the authority and approval required.

2. Network Access Controls

  1. User Authentication for External Connections:
  1. VPN (Virtual Private Network) connectivity shall be provided to remote users with proper approvals to specific resources only.
  2. Encryption shall be enabled to encrypt the traffic between client and server for remote users.
  1. Network Perimeter Security:
  1. Internal networks shall be protected and separated from the Internet and other organizations’ networks through firewalls.
  2. Border routers/firewalls shall be configured to prevent IP spoofing, interruption of service, and other common Internet-based attacks.
  3. Firewalls shall be specifically configured to deny all incoming connections except the ones that are specifically required for process or business requirements and have been formally documented and approved. Any connection from the external network must be provided through the firewall with proper approvals.
  4. Unauthorized remote access control is not allowed.
  1. Server Security:
  1. No server shall be exposed directly on the Internet. All servers and/or servers under the Deanship of Information Technology custody shall be placed in the internal zone of the firewall.
  2. Servers that are accessible from the Internet shall be deployed in a DMZ (Demilitarized Zone) and IP addresses shall be NATed (Network Address Translation).
  3. All servers shall be hardened as per the specified Hardening Documents provided by hardware and operating systems suppliers.
  4. Servers should be deployed in a different VLAN (Virtual Local Area Network).
  5. All servers on the UQU network shall maintain clock synchronization to ensure that audit trails are accurate.
  6. VA (Vulnerability Assessment) / PT (Penetration Testing) should be conducted before moving to the production network.
  7. All systems should forward all logs to a central logging system provided by the Deanship of Information Technology.
  8. Servers should be installed in physically secure server rooms after the approval of the Deanship of Information Technology.
  1. Network Equipment Security:
  1. Diagnostic/externally accessible/dial-up ports shall remain disabled on all the active network elements and systems, unless specifically opened for some particular activity such as business/client requirements, activities such as PT (Penetration Testing)/VA (Vulnerability Assessment), etc. Appropriate approval from the Deanship of Information Technology shall be obtained prior to commencing the activity.
  2. All network elements on the UQU network shall maintain clock synchronization to ensure that audit trails are accurate.
  1. Internal Network Security:

Network devices shall be configured to ensure that user access to systems is restricted to required services and unlimited network roaming is avoided. This is to be accomplished by:

  1. Segregating production networks from non-production networks.
  2. Segregating networking equipment and servers from the user environment.
  1. Network Change Management:

All changes to the network architecture or configurations on the network elements that could impact security (movement of servers, addition of new servers and network devices, etc.) shall follow the Change Management Process defined by the Information Technology Deanship.

3. Operating System Access Control

  1. Secure Log-on Procedures:
  1. Access to information services shall be made available via a secure log-on process. The procedure for logging on to a computer system shall disclose minimum information about the system in order to prevent unauthorized users from accessing unnecessary information.
  2. The log-on procedure includes the following characteristics:
  • All systems shall have a standard log-on banner configured, clearly stating that the system is for authorized UQU users only and may be monitored.
  • The log-on procedure shall not detail errors during log-on.
  • Systems shall be configured to lock the user account after a predefined number of unsuccessful attempts.
  • Unsuccessful log-on attempts for all users shall be logged.
  • All log-on attempts for technical users (viz. system administrators, DBAs (database administrators), network administrators, etc.) shall be duly logged and maintained for a predefined period.
  1. User Identification and Authentication:
  1. All users (including technical support staff, such as operators, network administrators, system programmers and database administrators) shall have a unique identifier (user ID) so that activities can subsequently be traced to the responsible individual. User IDs should not give any indication of the user’s privilege/organizational level, e.g. manager, supervisor.
  2. All authorized users on a particular system will be made part of a separate group so that an audit trail can be maintained.
  3. Any user account which is suspected of being compromised or of password sharing will be disabled temporarily. The account owner will be informed and a security incident will be logged with the Helpdesk for further investigation and resolution.
  1. Password Management System:

A password management system helps users select strong passwords and enforces certain password guidelines, which users should follow.

The password management system in use shall have the following features, as a minimum:

  1. The system should only allow the selection of passwords as described in the Defined Password Policy.
  2. The system should allow users to change their passwords.
  3. The system should be able to maintain password age and history as defined in the UQU Password Policy, and prevent re-use based on the same.
  4. The system should not store the passwords in clear text. It should store passwords using encryption.
  5. The system should force the users to change temporary passwords on their first log-on.
  6. The system should not display passwords on screen when they are being entered.
  7. The system should provide confirmation when passwords have been successfully changed.